Cryptographic compliance guide: PCI, FIPS, and more
Compliance can be the most immediate challenge organizations face when deploying new cryptographic infrastructure. A smaller company developing a SoftPOS application may want to get their product to market as soon as possible, but first they have to make sure their solution complies with the necessary standards. Compliance is not only a box that must be checked in order to do business — it’s a guarantee of trust among both customers and business partners. To help demystify the concept of compliance, this post will discuss several of its most common forms that organizations must navigate throughout their day-to-day cryptographic operations.
When it comes to cryptographic compliance standards, few are as widely accepted as the Payment Card Industry (PCI). PCI is a regulatory body founded by several global financial services corporations. The most widely known standard is the PCI Data Security Standard (PCI DSS) which is a set of compliance standards created to protect cardholder data.
The PCI Security Standards Council (PCI SSC) is a global forum responsible for formulating and managing an array of international compliance standards, including PCI HSM, PCI PIN, and PCI P2PE. The PCI SSC is led by an executive committee comprising representatives from American Express, Discover, JCB International, Mastercard, UnionPay and Visa Inc, who set policy for the organization.
PCI compliance is not enforced by governments or legal systems; rather, it is typically enforced by the contracts between businesses, merchant service providers, acquiring banks, and/or card networks. If an organization that handles payment card data fails to comply with PCI, they can be liable to penalty fees imposed by payment networks. But PCI compliance is not just sought after because of the penalties imposed for its violation. It signifies that an organization has taken steps to secure its systems, fostering trust among its partners and customers. In the payments sector in particular, this trust is vital.
PCI maintains different standards that apply to different aspects of the payment industry. Let’s take a look at those more common in the cryptography industry:
PCI PTS HSM
HSMs are the backbone of payments processing infrastructure. They are physically and logically tested against the rigorous PCI PTS HSM standard. Organizations can limit their compliance scope by using HSMs certified by this standard.
PIN transactions occur when a cardholder uses their payment card to transfer funds into a merchant’s bank. PCI PIN provides the framework by which payment acquirers and issuers protect PIN transactions. The standard encompasses rules for PIN printing, payment key management, and key injection. It is most relevant to organizations that deploy and maintain payment terminals, which require secure key loading. It also applies to HSM providers (including cloud HSM services).
The Federal Information Processing Standard (FIPS) was developed by the United States government to establish security requirements for computer systems. FIPS 140 is the set of FIPS requirements that pertain to hardware security modules, with FIPS 140-2 being the current instance of FIPS 140 in use. (FIPS 140-3 requirements have been publicly announced, but as of now, no certifications have been issued.)
FIPS 140-2 measures an HSM’s level of compliance in terms of physical hardware (including ports, interfaces, and tamper-proof casing), logical security (like roles, permissions, and authentication), and operational environment. FIPS 140-2 comprises four levels in total, going up to FIPS 140-2 Level 4. Although FIPS was first applied within the United States, it is recognized in countries around the world due to its comprehensiveness.
The General Data Protection Regulation (GDPR) was formulated by the European Union (EU) to govern data privacy and data security. It is a binding regulation that determines how the data of EU citizens is to be processed, transported, and stored. Some of the better-known provisions of the GDPR are that it grants individuals the right to request that their personal data be removed from databases, and that individuals have the right to opt-in to programs where their data is collected by organizations, rather than having to opt-out. It also requires organizations to inform users when their data was subjected to a breach.
The EU adopted the GDPR in 2016. The regulation went into enforcement in 2018. Organizations have maintained compliance by investing in data security infrastructure centered around HSMs. HSMs that are validated under standards like PCI and FIPS are well suited to securing customer data and ensuring GDPR compliance due to the high level of security involved.
IT Act, 2000 (India)
India is quickly becoming a global leader in payments processing and financial technology services. The Information Technology Act was passed in 2000 and updated in 2008 to provide a regulatory framework to protect private data and payment credentials. Its intention is to protect electronic commerce as well as mitigate (and establish penalties for) cybercrime. One of its provisions is that organizations must use public key infrastructure (PKI) and certificate authority (CA) to validate the integrity of messages (which can include those sent to and from payment devices and applications). Though this compliance requirement may seem complex, its solution is fairly straightforward. Organizations can deploy hardware security modules (HSMs) or other key management solutions to secure private keys and establish a CA with which to authenticate data.
In this post, we’ve covered PCI, FIPS, GDPR, and the IT Act, 2000 — standards and compliance requirements that, combined, apply to a significant portion of global payments and technology industries. They all share one thing: the best way for organizations around the world to meet compliance requirements is to deploy strong cryptographic infrastructure backed by HSMs with a high level of physical and logical security. Being able to offload encryption, data protection, and key management processes to HSMs lays a foundation of compliance and data security.